Hello All, I have seen this showing up in my web server access logs for a few days now.. there are many of these... I am just showing one here.. Does anyone have any idea as to what this is? Is it dangerous? How do I protect my site against it?

Thanks,
Ahbaid.

Entry begins:
-------------
12.207.13.41 - - [11/Mar/2003:18:08:40 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u90
--------------
Entry Ends
On Saturday 15 March 2003 05:42, Ahbaid Gaffoor wrote:
Does anyone have any idea as to what this is? Is it dangerous? How do I protect my site against it?
Thanks,
Ahbaid.
Entry begins:
-------------
12.207.13.41 - - [11/Mar/2003:18:08:40 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u90
--------------
Entry Ends
I forget if this is Code Red or Nimda, but it's one of the two. It's only dangerous if you're running an (unpatched) IIS server. The worst that happens to your apache server is that your logs could grow large.
Thank you Anders.
Hooray, I use Apache on SuSE :)
I added the following entry to my Apache config to ignore it, I found this after digging on google a bit...
And yes thank you, it was Code Red...

SetEnvIfNoCase Request_URI "^/default.ida" nolog
# nolog only suppresses logging when the access log's CustomLog carries env=!nolog;
# add it to your existing CustomLog line (log path and format below are assumed)
CustomLog logs/access_log common env=!nolog
Redirect gone /default.ida

Anders Johansson wrote:
On Saturday 15 March 2003 05:42, Ahbaid Gaffoor wrote:
Does anyone have any idea as to what this is? Is it dangerous? How do I protect my site against it?
Thanks,
Ahbaid.
Entry begins:
-------------
12.207.13.41 - - [11/Mar/2003:18:08:40 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u90
--------------
Entry Ends
I forget if this is Code Red or Nimda, but it's one of the two. It's only dangerous if you're running an (unpatched) IIS server. The worst that happens to your apache server is that your logs could grow large.
On Friday 14 March 2003 9:14 pm, Ahbaid Gaffoor wrote:
Thank you Anders.
Hooray, I use Apache on SuSE :)
I added the following entry to my Apache config to ignore it, I found this after digging on google a bit...
And yes thank you, it was Code Red...
SetEnvIfNoCase Request_URI "^/default.ida" nolog
Redirect gone /default.ida
You also can (err, perhaps "should") notify the originator and/or his ISP, if you can figure out who they are. If nothing else, you can claim this is "abuse" [as in DoS, sucking up your resources, or whatever...] There are some perl scripts out there that do most of the work for this, i.e., look up the offending server to find which ISP block it belongs to, send e-mails, etc.

The other similar entries you're likely to see are requests for the script "cmd.exe", usually with a parameter of "/c+dir" -- there are about 15-20 different locations that will be tried, from the simplest (/scripts) to some rather complex attempts at getting around the MSDOS file system (such as /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir -- this was taken straight from my own log file ;) )

As it turns out, I had been getting these "cmd.exe" hits since the beginning of the month, mostly from one particular site. I figured out that the perpetrator was within my own ISP [pacbell] as a "traceroute" showed that the last hop before it went to "cust-rtr-<numbers>" was indeed a pacbell DSL line in northern california. So I emailed pacbell's support & abuse departments, and a day or two later these stopped -- only to be replaced by "default.ida?xxxxxxx...." from the same location :( [I suspect PB went ahead and told this guy, "you have an infected server", so he re-installed it and patched it for the cmd.exe problem, but in so doing, undid any patch he had covering the "default.ida" problem...]
The worst that happens to your apache server is that your logs could grow large.
Fortunately, the volume of such is indeed currently fairly low -- 600+ hits for the month -- you can see this for yourself since I run awstats (take the "net" link from my homepage, scroll to the bottom, and click on the "404" hyperlink in the "error code" table)

--
Yet another Blog: http://osnut.homelinux.net
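A small log-triage script in the spirit of the counting Tom describes above (an added example; it is not code from this thread nor from Early Bird or any other tool mentioned). It parses Apache common-format access-log lines, labels the two probe types seen in this thread (the default.ida request with a %u-encoded payload, and the cmd.exe request hidden behind double-encoded and overlong-UTF-8 path separators) and tallies hits per source address, which is the evidence an abuse report to the source's ISP needs. The sample log lines and their addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines in Apache common format; the source
# addresses are documentation-range IPs, not real hosts from the thread.
SAMPLE_LOG = """\
192.0.2.41 - - [11/Mar/2003:18:08:40 -0600] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u90 HTTP/1.0" 404 276
198.51.100.7 - - [11/Mar/2003:18:09:02 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [11/Mar/2003:18:09:03 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.0.2.9 - - [11/Mar/2003:18:10:11 -0600] "GET /index.html HTTP/1.1" 200 1043
"""

# Common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})'
)

def classify(path):
    """Label a request path as a known IIS worm probe, or None for normal traffic."""
    low = path.lower()
    # Code Red: GET for the .ida ISAPI filter carrying a %u-encoded payload.
    if low.startswith("/default.ida") and "%u" in low:
        return "code-red"
    # Nimda-style traversal hides cmd.exe behind double encoding (%255c -> %5c -> '\')
    # and overlong UTF-8 (%c1%1c); decoding twice exposes the target file name.
    if "cmd.exe" in unquote(unquote(low)):
        return "nimda-traversal"
    return None

def tally(log_text):
    """Count probe hits per label and source IP: {label: Counter({ip: n})}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the run
        label = classify(m.group("path"))
        if label:
            hits[label][m.group("ip")] += 1
    return hits

def top_sources(log_text, n=3):
    """Return (label, ip, count) rows, busiest source first, for an abuse report."""
    rows = [(label, ip, count)
            for label, counter in tally(log_text).items()
            for ip, count in counter.most_common(n)]
    return sorted(rows, key=lambda r: -r[2])
```

Feed it the real access_log text instead of SAMPLE_LOG and the busiest row of top_sources() is the address to send, together with the matching log lines, to the abuse contact for that block.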
On Sat, 15 Mar 2003, Tom Emerson wrote: [snip]
I added the following entry to my Apache config to ignore it, I found this after digging on google a bit...
And yes thank you, it was Code Red...
SetEnvIfNoCase Request_URI "^/default.ida" nolog
Redirect gone /default.ida
You also can (err, perhaps "should") notify the originator and/or his ISP, if you can figure out who they are. If nothing else, you can claim this is "abuse" [as in DoS, sucking up your resources, or whatever...] There are some perl scripts out there that do most of the work for this, i.e., look up the offending server to find which ISP block it belongs to, send e-mails, etc.
I have been dealing with a varying amount of these attacks, too, though somewhat decreased lately. I found and installed a script that will attempt to locate the admin contact for the source IP block and send an email with evidence of the incident. I've found that it works very well and was easy to install. Check out: Early Bird v2.6 (http://www.treachery.net/earlybird/)

Jim
----- Original Message -----
From: "Anders Johansson"
On Saturday 15 March 2003 05:42, Ahbaid Gaffoor wrote:
Does anyone have any idea as to what this is? Is it dangerous? How do I protect my site against it?
Thanks,
Ahbaid.
Entry begins:
-------------
12.207.13.41 - - [11/Mar/2003:18:08:40 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u90
--------------
Entry Ends
I forget if this is Code Red or Nimda, but it's one of the two. It's only dangerous if you're running an (unpatched) IIS server. The worst that happens to your apache server is that your logs could grow large.
-- Another plus for Linux :)
participants (5): Ahbaid Gaffoor, Anders Johansson, Jim Cunning, LinuxWorld999, Tom Emerson